Microsoft-Windows-Application-Experience

116 events across 10 channels

Event	Title	Channel	Sample
50	PCA was requested to refresh the program cache.	Analytic	N
51	PCA was informed that the program cache was refreshed.	Analytic	N
60	PCA dialog button response ChainId.	Analytic	N
70	PCA triggered SIUF question was asked.	Analytic	N
71	task_071	Analytic	N
72	task_072	Analytic	N
73	task_073	Analytic	N
74	task_074	Analytic	N
75	task_075	Analytic	N
76	task_076	Analytic	N
77	task_077	Analytic	N
78	task_078	Analytic	N
79	task_079	Analytic	N
80	task_080	Analytic	N
81	PCA triggered SIUF question was answered.	Analytic	N
100	The Program Compatibility Assistant was invoked to correct a compatibility …	Program-Compatibility-Assistant	N
101	The Program Compatibility Assistant was invoked to correct a compatibility …	Program-Compatibility-Assistant	N
102	The Program Compatibility Assistant was invoked due to an unsigned driver …	Program-Compatibility-Assistant	N
103	The Program Compatibility Assistant was not invoked because the application has …	Program-Compatibility-Assistant	N
104	The Program Compatibility Assistant was not invoked as the application executed …	Program-Compatibility-Assistant	N
105	The Program Compatibility Assistant was invoked to correct a compatibility …	Program-Compatibility-Assistant	N
201	Event ID 201	System	Y
206	Event ID 206	System	Y
207	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
208	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
209	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
210	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
211	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
212	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
213	The Program Compatibility Assistant has added ExecutablePath to quarantine.	Program-Compatibility-Assistant	N
214	The Program Compatibility Assistant has removed ExecutablePath from quarantine.	Program-Compatibility-Assistant	N
215	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
300	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
301	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
302	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
303	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
304	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
305	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
306	The Program Compatibility Assistant was requested to monitor ExecutablePath, but …	Program-Compatibility-Assistant	N
400	The Program Compatibility Assistant attempted to connect an event for process ID …	Program-Compatibility-Assistant	N
500	Compatibility fix applied to CompatibilityFixEvent.ExePath.	Program-Telemetry	Y
501	Compatibility fix applied to Flags.	Operational	N
502	Compatibility fix applied to PackageCode.	Program-Telemetry	N
503	Compatibility fix applied to PackageCode.	Operational	N
504	PCA was informed about fix FixName applied to process.	Analytic	N
505	Compatibility fix applied to CompatibilityFixEvent.ExePath.	Program-Telemetry	Y
600	An instance of the Steps Recorder ran with the following information.	Steps-Recorder	N
601	An instance of the Steps Recorder terminated with the following error code: …	Steps-Recorder	N
700	The Application Impact Telemetry (AIT) Agent terminated with the following error …	Program-Telemetry	N
701	The Application Impact Telemetry (AIT) Agent is not running because AIT is …	Program-Telemetry	N
702	The Application Impact Telemetry (AIT) Agent is stopping because another …	Program-Telemetry	N
703	The Application Impact Telemetry (AIT) Agent was unable to parse the …	Program-Telemetry	N
704	The Application Impact Telemetry (AIT) Agent was unable to process the logs …	Program-Telemetry	N
705	The Application Impact Telemetry (AIT) Agent was unable to start application …	Program-Telemetry	N
706	The Application Impact Telemetry (AIT) Agent was unable to log application …	Program-Telemetry	N
707	The Application Impact Telemetry (AIT) Agent was unable to start system …	Program-Telemetry	N
708	The Application Impact Telemetry (AIT) Agent was unable to log system telemetry …	Program-Telemetry	N
800	An instance of Program Data Updater (PDU) ran with the following information: …	Program-Inventory	N
900	An Internet Explorer add-on was installed on the system.	Program-Inventory	N
901	An Internet Explorer add-on was updated on the system.	Program-Inventory	N
902	An Internet Explorer add-on was removed from the system.	Program-Inventory	N
903	A program was installed on the system.	Program-Inventory	N
904	A program was installed on the system.	Program-Inventory	N
905	A program was updated on the system.	Program-Inventory	N
906	A program was updated on the system.	Program-Inventory	N
907	A program was removed from the system.	Program-Inventory	N
908	A program was removed from the system.	Program-Inventory	N
909	AMI cache update failure.	Compatibility-Infrastructure-Debug	N
910	task_0910	Operational	N
911	task_0911	Operational	N
1003	Installer cancel click detected.	Analytic	N
1004	InstallerShield detected.	Analytic	N
1005	File installed.	Analytic	N
1006	New arp key.	Analytic	N
1100	DirectX detection: HighDPIAware.	Analytic	N
1101	DirectX detection: MaximizedWindowedMode.	Analytic	N
1102	DirectX detection: AdaptWindowToDisplayMode.	Analytic	N
2001	The Application Impact Telemetry (AIT) Static Analysis tool ran with the …	Program-Telemetry	N
2002	ErrorMessage.	Compatibility-Infrastructure-Debug	N
2003	The Application Impact Telemetry (AIT) Static Analysis tool ran with the …	Program-Telemetry	N
2005	QuirkName.	Operational	Y
5001	The Program Compatibility Troubleshooter was invoked to correct a compatibility …	Program-Compatibility-Troubleshooter	N
5002	The Program Compatibility Troubleshooter queried the Compatibility Online …	Program-Compatibility-Troubleshooter	N
5003	The Program Compatibility Troubleshooter queried the application genome for …	Program-Compatibility-Troubleshooter	N
5004	Program Compatibility Troubleshooter debug event.	Program-Compatibility-Troubleshooter	N
8000	Detector shim: SHORT_RUN_TIME.	Analytic	N
8001	Detector shim: ACCESS_DENIED.	Analytic	N
8002	Detector shim: BLACK_SCREEN.	Analytic	N
8003	Detector shim: WIN32_EXCEPTION: ExtraDataSize.	Analytic	N
8004	Detector shim: GLOBAL_OBJECT.	Analytic	N
8005	Detector shim: PRIVILEGE_CHECK.	Analytic	N
8006	Detector shim: MESSAGE_BOX_VERSION.	Analytic	N
8007	Detector shim: MESSAGE_BOX_PRIVILEGE.	Analytic	N
8008	Detector shim: MESSAGE_BOX_ERROR_ICON.	Analytic	N
8010	Detector shim: REG_EXPAND_SZ.	Analytic	N
8011	Detector shim: DWM_8AND16_MODE.	Analytic	N
8012	Detector shim: KERNEL_DRIVER.	Analytic	N
16000	task_016000	Operational	N
16001	task_016001	Operational	N
16002	task_016002	Operational	N
16003	task_016003	Operational	N
16010	task_016010	Operational	N
16011	task_016011	Operational	N
16012	task_016012	Operational	N
16100	task_016100	Operational	N
16101	task_016101	Operational	N
16102	task_016102	Operational	N
16103	task_016103	Operational	N
16110	task_016110	Operational	N
16111	task_016111	Operational	N
16112	task_016112	Operational	N
16113	task_016113	Operational	N
32764	Message.	Compatibility-Infrastructure-Debug	N
32765	Chain: Chain, Process: Process, Type: Type.	Trace	Y
32766	Message.	Analytic	N
32767	Message.	Compatibility-Infrastructure-Debug	N

Event ID 50: PCA was requested to refresh the program cache.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

PCA was requested to refresh the program cache.

Message #

PCA was requested to refresh the program cache.

Event ID 51: PCA was informed that the program cache was refreshed.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

PCA was informed that the program cache was refreshed.

Message #

PCA was informed that the program cache was refreshed.

Event ID 60: PCA dialog button response ChainId.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

PCA dialog button response ChainId.

Message #

PCA dialog button response %2.

Fields #

Name	Description
`DialogGuid` GUID
`ChainId` UInt32
`ButtonId` UInt32

Event ID 70: PCA triggered SIUF question was asked.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

PCA triggered SIUF question was asked.

Message #

PCA triggered SIUF question was asked.

Fields #

Name	Description
`QuestionId` GUID
`QuestionText` UnicodeString

Event ID 71: task_071

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 72: task_072

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 73: task_073

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 74: task_074

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 75: task_075

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 76: task_076

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 77: task_077

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 78: task_078

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 79: task_079

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 80: task_080

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Event ID 81: PCA triggered SIUF question was answered.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

PCA triggered SIUF question was answered.

Message #

PCA triggered SIUF question was answered.

Fields #

Name	Description
`QuestionId` GUID
`QuestionKind` UnicodeString
`QuestionValue` UInt32
`FollowupValue` UnicodeString

Event ID 100: The Program Compatibility Assistant was invoked to correct a compatibility problem.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Message #

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Application name: %1
Application version: %2
Executable path: %3
Scenario ID: %4
User action: %5
User action ID: %6
Compatibility layer: %7
FileID: %8
ProgramID: %9

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`ScenarioId` UnicodeString
`UserAction` UnicodeString
`UserActionID` UnicodeString
`CompatibilityLayer` UnicodeString
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 101: The Program Compatibility Assistant was invoked to correct a compatibility problem.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Message #

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.Application name: {ApplicationName}Application version: {ApplicationVersion}Executable path: {ExecutablePath}Scenario ID: {ScenarioId}User action: {UserAction}User action ID: {UserActionID}Compatibility layer: {CompatibilityLayer}Deprecated component: {DeprecatedComponent}FileID: {FileID}ProgramID: {ApplicationName}0

Fields #

Name	Description
`ApplicationName`
`ApplicationVersion`
`ExecutablePath`
`ScenarioId`
`UserAction`
`UserActionID`
`CompatibilityLayer`
`DeprecatedComponent`
`FileID`

Event ID 102: The Program Compatibility Assistant was invoked due to an unsigned driver install.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Message #

The Program Compatibility Assistant was invoked due to an unsigned driver install. This version of Windows requires all drivers to have a valid digital signature. Information about the driver is below.Driver: {DriverName}Service: {ServiceName}Publisher: {PublisherName}Location: {DriverPath}Version: {DriverVersion}This driver is unavailable and the program that uses this driver might not work correctly.

Fields #

Name	Description
`DriverName`
`ServiceName`
`PublisherName`
`DriverPath`
`DriverVersion`

Event ID 103: The Program Compatibility Assistant was not invoked because the application has been already handled previously.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was not invoked because the application has been already handled previously. Information about the application is below.

Message #

The Program Compatibility Assistant was not invoked because the application has been already handled previously. Information about the application is below.

Application name: %1
Application version: %2
Executable path: %3
Scenario ID: %4
User action: %5
Compatibility layer: %6

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`ScenarioId` UnicodeString
`UserAction` UnicodeString
`UserActionID` UnicodeString
`CompatibilityLayer` UnicodeString
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 104: The Program Compatibility Assistant was not invoked as the application executed correctly.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was not invoked as the application executed correctly. Information about the application is below.

Message #

The Program Compatibility Assistant was not invoked as the application executed correctly. Information about the application is below.

Application name: %1
Application version: %2
Executable path: %3
Scenario ID: %4
User action: %5
Compatibility layer: %6

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`ScenarioId` UnicodeString
`UserAction` UnicodeString
`UserActionID` UnicodeString
`CompatibilityLayer` UnicodeString
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 105: The Program Compatibility Assistant was invoked to correct a compatibility problem.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Message #

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Application name: %1
Application version: %2
Executable path: %3
Scenarios code: %4
Deprecated Components: %5
User action ID: %6
Compatibility layers recommended: %7
FileID: %8
ProgramID: %9

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`ScenarioId` UnicodeString
`UserAction` UnicodeString
`UserActionID` UnicodeString
`CompatibilityLayer` UnicodeString
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 201

Provider: Microsoft-Windows-Application-Experience
Channel: System
Level: Informational

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Application-Experience",
    "guid": "EEF54E71-0661-422D-9A98-82FD4940B820",
    "event_source_name": "",
    "event_id": 201,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2013-10-23T16:24:25.239375Z",
    "event_record_id": 380,
    "correlation": {},
    "execution": {
      "process_id": 892,
      "thread_id": 3532
    },
    "channel": "System",
    "computer": "IE8Win7",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {}
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 206

Provider: Microsoft-Windows-Application-Experience
Channel: System
Level: Informational

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Application-Experience",
    "guid": "EEF54E71-0661-422D-9A98-82FD4940B820",
    "event_source_name": "",
    "event_id": 206,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2013-10-23T22:03:32.528125Z",
    "event_record_id": 2787,
    "correlation": {},
    "execution": {
      "process_id": 808,
      "thread_id": 2792
    },
    "channel": "System",
    "computer": "IE8Win7",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {}
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 207: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is excluded in the registry.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is excluded in the registry.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application is excluded in the registry.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 208: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because of the extension of the executable.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because of the extension of the executable.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because of the extension of the executable.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 209: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the executable has a UAC manifest.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the executable has a UAC manifest.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the executable has a UAC manifest.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 210: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application has a compatibility fix applied to...

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application has a compatibility fix applied to it.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application has a compatibility fix applied to it.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 211: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application depends on the Windows Installer s...

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application depends on the Windows Installer service (MSI).

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application depends on the Windows Installer service (MSI).

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 212: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the executable has a current SwitchBack context.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the executable has a current SwitchBack context.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the executable has a current SwitchBack context.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 213: The Program Compatibility Assistant has added ExecutablePath to quarantine.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant has added ExecutablePath to quarantine.

Message #

The Program Compatibility Assistant has added %1 to quarantine.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 214: The Program Compatibility Assistant has removed ExecutablePath from quarantine.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant has removed ExecutablePath from quarantine.

Message #

The Program Compatibility Assistant has removed %1 from quarantine.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 215: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the executable has a UAC manifest.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the executable has a UAC manifest.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the executable has a UAC manifest.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 300: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the PCA is disabled by group policy.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the PCA is disabled by group policy.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the PCA is disabled by group policy.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 301: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application already exists within a job object.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application already exists within a job object.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application already exists within a job object.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 302: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is a 64-bit application.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is a 64-bit application.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application is a 64-bit application.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 303: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is on a network path.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is on a network path.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application is on a network path.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 304: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application compatibility infrastructure is di...

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application compatibility infrastructure is disabled.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application compatibility infrastructure is disabled.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 305: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is protected by Windows Resource P...

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application is protected by Windows Resource Protection.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application is protected by Windows Resource Protection.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 306: The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application has been excluded from the PCA by ...

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was requested to monitor ExecutablePath, but ignored the request because the application has been excluded from the PCA by Microsoft.

Message #

The Program Compatibility Assistant was requested to monitor %1, but ignored the request because the application has been excluded from the PCA by Microsoft.

Fields #

Name	Description
`ExecutablePath` UnicodeString

Event ID 400: The Program Compatibility Assistant attempted to connect an event for process ID ProcessId, but the Program Compatibility Assistant service was unable to ...

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant attempted to connect an event for process ID ProcessId, but the Program Compatibility Assistant service was unable to locate the process.

Message #

The Program Compatibility Assistant attempted to connect an event for process ID %1, but the Program Compatibility Assistant service was unable to locate the process.

Fields #

Name	Description
`ProcessId` UInt32

Event ID 500: Compatibility fix applied to CompatibilityFixEvent.ExePath.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry
Level: Informational

Description

Compatibility fix applied to CompatibilityFixEvent.ExePath.

Message #

Compatibility fix applied to %5.
Fix information: %6, %3, %4.

Fields #

Name	Description
`ProcessId`
`StartTime`
`FixID`
`Flags`
`ExePath`
`FixName`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Application-Experience",
    "guid": "EEF54E71-0661-422D-9A98-82FD4940B820",
    "event_source_name": "",
    "event_id": 500,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423488,
    "time_created": "2023-11-06T02:01:06.316061+00:00",
    "event_record_id": 268,
    "correlation": {},
    "execution": {
      "process_id": 10532,
      "thread_id": 16892
    },
    "channel": "Microsoft-Windows-Application-Experience/Program-Telemetry",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "user_data": {
    "CompatibilityFixEvent": {
      "ProcessId": 10532,
      "StartTime": 1699236066.0862,
      "FixID": "AD24F32A-1C4D-4D71-AF4E-1D9031C04F14",
      "Flags": 65793,
      "ExePath": "C:\\Program Files (x86)\\OpenOffice 4\\program\\soffice.bin",
      "FixName": "Apache OpenOffice"
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 501: Compatibility fix applied to Flags.

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Description

Compatibility fix applied to Flags.

Message #

Compatibility fix applied to %5.
Fix information: %6, %3, %4.

Fields #

Name	Description
`ProcessId` UInt32
`StartTime` FILETIME
`FixID` GUID
`Flags` HexInt32
`ExePath` UnicodeString
`FixName` UnicodeString

Event ID 502: Compatibility fix applied to PackageCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

Compatibility fix applied to PackageCode.

Message #

Compatibility fix applied to %7.
Fix information: %8, %3, %4.

Fields #

Name	Description
`ClientProcessId` UInt32
`ClientStartTime` FILETIME
`FixID` GUID
`Flags` HexInt32
`ProductCode` GUID
`PackageCode` GUID
`MsiPath` UnicodeString
`FixName` UnicodeString

Event ID 503: Compatibility fix applied to PackageCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Description

Compatibility fix applied to PackageCode.

Message #

Compatibility fix applied to %7.
Fix information: %8, %3, %4.

Fields #

Name	Description
`ClientProcessId` UInt32
`ClientStartTime` FILETIME
`FixID` GUID
`Flags` HexInt32
`ProductCode` GUID
`PackageCode` GUID
`MsiPath` UnicodeString
`FixName` UnicodeString

Event ID 504: PCA was informed about fix FixName applied to process.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

PCA was informed about fix FixName applied to process.

Message #

PCA was informed about fix %2 applied to process.

Fields #

Name	Description
`FixNameLength` UInt32
`FixName` UnicodeString
`FixType` UInt32

Event ID 505: Compatibility fix applied to CompatibilityFixEvent.ExePath.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry
Level: Informational

Description

Compatibility fix applied to CompatibilityFixEvent.ExePath.

Message #

Compatibility fix applied to %5.
Fix information: %6, %3, %4.

Fields #

Name	Description
`ProcessId`
`StartTime`
`FixID`
`Flags`
`ExePath`
`FixName`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Application-Experience",
    "guid": "EEF54E71-0661-422D-9A98-82FD4940B820",
    "event_source_name": "",
    "event_id": 505,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423488,
    "time_created": "2023-11-06T01:51:42.489178+00:00",
    "event_record_id": 265,
    "correlation": {},
    "execution": {
      "process_id": 21364,
      "thread_id": 8156
    },
    "channel": "Microsoft-Windows-Application-Experience/Program-Telemetry",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "user_data": {
    "CompatibilityFixEvent": {
      "ProcessId": 21364,
      "StartTime": 1699235502.3153903,
      "FixID": "6F36AB95-595F-497D-9001-86DAD299B6FA",
      "Flags": 2147549701,
      "ExePath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
      "FixName": "AppDefaults"
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 600: An instance of the Steps Recorder ran with the following information.

Provider: Microsoft-Windows-Application-Experience
Channel: Steps-Recorder

Description

An instance of the Steps Recorder ran with the following information.

Message #

An instance of the Steps Recorder ran with the following information:

StartTime: %1
StopTime: %2
Action Count: %3
Missed Action Count: %4
Output file location: %5

Fields #

Name	Description
`StartTime` FILETIME	[An instance of the Steps Recorder ran with the following information] StartTime.
`StopTime` FILETIME	[An instance of the Steps Recorder ran with the following information] StopTime.
`ActionCount` UInt32
`MissedActionCount` UInt32
`OutputFileLocation` UnicodeString

Event ID 601: An instance of the Steps Recorder terminated with the following error code: ErrorCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Steps-Recorder

Description

An instance of the Steps Recorder terminated with the following error code: ErrorCode.

Message #

An instance of the Steps Recorder terminated with the following error code: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 700: The Application Impact Telemetry (AIT) Agent terminated with the following error code: FailureCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent terminated with the following error code: FailureCode.

Message #

The Application Impact Telemetry (AIT) Agent terminated with the following error code: %1

Fields #

Name	Description
`FailureCode` HexInt32	NTSTATUS reference

Event ID 701: The Application Impact Telemetry (AIT) Agent is not running because AIT is disabled.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent is not running because AIT is disabled.

Message #

The Application Impact Telemetry (AIT) Agent is not running because AIT is disabled.

Event ID 702: The Application Impact Telemetry (AIT) Agent is stopping because another instance is already running.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent is stopping because another instance is already running.

Message #

The Application Impact Telemetry (AIT) Agent is stopping because another instance is already running.

Event ID 703: The Application Impact Telemetry (AIT) Agent was unable to parse the command-line options with error code: FailureCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent was unable to parse the command-line options with error code: FailureCode.

Message #

The Application Impact Telemetry (AIT) Agent was unable to parse the command-line options with error code: %1.

Fields #

Name	Description
`FailureCode` HexInt32	NTSTATUS reference

Event ID 704: The Application Impact Telemetry (AIT) Agent was unable to process the logs files with error code: FailureCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent was unable to process the logs files with error code: FailureCode.

Message #

The Application Impact Telemetry (AIT) Agent was unable to process the logs files with error code: %1.

Fields #

Name	Description
`FailureCode` HexInt32	NTSTATUS reference

Event ID 705: The Application Impact Telemetry (AIT) Agent was unable to start application impact SQM with error code: FailureCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent was unable to start application impact SQM with error code: FailureCode.

Message #

The Application Impact Telemetry (AIT) Agent was unable to start application impact SQM with error code: %1.

Fields #

Name	Description
`FailureCode` HexInt32	NTSTATUS reference

Event ID 706: The Application Impact Telemetry (AIT) Agent was unable to log application impact data to SQM with error code: FailureCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent was unable to log application impact data to SQM with error code: FailureCode.

Message #

The Application Impact Telemetry (AIT) Agent was unable to log application impact data to SQM with error code: %1.

Fields #

Name	Description
`FailureCode` HexInt32	NTSTATUS reference

Event ID 707: The Application Impact Telemetry (AIT) Agent was unable to start system telemetry with error code: FailureCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent was unable to start system telemetry with error code: FailureCode.

Message #

The Application Impact Telemetry (AIT) Agent was unable to start system telemetry with error code: %1.

Fields #

Name	Description
`FailureCode` HexInt32	NTSTATUS reference

Event ID 708: The Application Impact Telemetry (AIT) Agent was unable to log system telemetry data to SQM with error code: FailureCode.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Agent was unable to log system telemetry data to SQM with error code: FailureCode.

Message #

The Application Impact Telemetry (AIT) Agent was unable to log system telemetry data to SQM with error code: %1.

Fields #

Name	Description
`FailureCode` HexInt32	NTSTATUS reference

Event ID 800: An instance of Program Data Updater (PDU) ran with the following information: StartTime: {StartTime}; StopTime: {StopTime}; ExitCode: {ExitCode}; N...

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory

Message #

An instance of Program Data Updater (PDU) ran with the following information: StartTime: {StartTime}; StopTime: {StopTime}; ExitCode: {ExitCode}; Number of new programs: {NumNewPrograms}; Number of removed programs: {NumRemovedPrograms}; Number of updated programs: {NumUpdatedPrograms}; Number of installed programs: {NumInstalledPrograms}; Number of new orphan files: {NumNewOrphans}; Number of new add-ons: {NumNewAddOns}; Number of removed add-ons: {StartTime}0; Number of updated add-ons: {StartTime}1; Number of installed add-ons: {StartTime}2; Number of new installations: {StartTime}3

Fields #

Name	Description
`StartTime`
`StopTime`
`ExitCode`
`NumNewPrograms`
`NumRemovedPrograms`
`NumUpdatedPrograms`
`NumInstalledPrograms`
`NumNewOrphans`
`NumNewAddOns`

Event ID 900: An Internet Explorer add-on was installed on the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory

Description

An Internet Explorer add-on was installed on the system. For details; please examine the event data.Name: {Name}Type: {Type}Publisher: {Publisher}CLSID: {CLSID}.

Message #

An Internet Explorer add-on was installed on the system. For details; please examine the event data.Name: {Name}Type: {Type}Publisher: {Publisher}CLSID: {CLSID}

Fields #

Name	Description
`Name`
`Type`
`Publisher`
`CLSID`

Event ID 901: An Internet Explorer add-on was updated on the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory

Description

An Internet Explorer add-on was updated on the system. For details; please examine the event data.Name: {Name}Type: {Type}Publisher: {Publisher}CLSID: {CLSID}.

Message #

An Internet Explorer add-on was updated on the system. For details; please examine the event data.Name: {Name}Type: {Type}Publisher: {Publisher}CLSID: {CLSID}

Fields #

Name	Description
`Name`
`Type`
`Publisher`
`CLSID`

Event ID 902: An Internet Explorer add-on was removed from the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory

Description

An Internet Explorer add-on was removed from the system. For details; please examine the event data.Name: {Name}Type: {Type}Publisher: {Publisher}CLSID: {CLSID}.

Message #

An Internet Explorer add-on was removed from the system. For details; please examine the event data.Name: {Name}Type: {Type}Publisher: {Publisher}CLSID: {CLSID}

Fields #

Name	Description
`Name`
`Type`
`Publisher`
`CLSID`

Event ID 903: A program was installed on the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory
Collection Priority: Recommended (NSA)

Description

A program was installed on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}.

Message #

A program was installed on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}

Fields #

Name	Description
`Name`
`Version`
`Publisher`

Event ID 904: A program was installed on the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory
Collection Priority: Recommended (NSA)

Description

A program was installed on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}.

Message #

A program was installed on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}

Fields #

Name	Description
`Name`
`Version`
`Publisher`

Event ID 905: A program was updated on the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory
Collection Priority: Recommended (NSA)

Description

A program was updated on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}.

Message #

A program was updated on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}

Fields #

Name	Description
`Name`
`Version`
`Publisher`

Event ID 906: A program was updated on the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory
Collection Priority: Recommended (NSA)

Description

A program was updated on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}.

Message #

A program was updated on the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}

Fields #

Name	Description
`Name`
`Version`
`Publisher`

Event ID 907: A program was removed from the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory
Collection Priority: Recommended (NSA)

Description

A program was removed from the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}.

Message #

A program was removed from the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}

Fields #

Name	Description
`Name`
`Version`
`Publisher`

Event ID 908: A program was removed from the system.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Inventory
Collection Priority: Recommended (NSA)

Description

A program was removed from the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}.

Message #

A program was removed from the system. For details; please examine the event data.Name: {Name}Version: {Version}Publisher: {Publisher}

Fields #

Name	Description
`Name`
`Version`
`Publisher`

Event ID 909: AMI cache update failure.

Provider: Microsoft-Windows-Application-Experience
Channel: Compatibility-Infrastructure-Debug

Description

AMI cache update failure.File path: {FilePath}File ID: {FileID}Program ID: {ProgramID}Error Code: {ErrorCode}.

Message #

AMI cache update failure.File path: {FilePath}File ID: {FileID}Program ID: {ProgramID}Error Code: {ErrorCode}

Fields #

Name	Description
`FilePath`
`FileID`
`ProgramID`
`ErrorCode`

Event ID 910: task_0910

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ProgramID` UnicodeString
`Name` UnicodeString
`Publisher` UnicodeString
`Version` UnicodeString
`Language` UnicodeString
`ProgramType` UnicodeString

Event ID 911: task_0911

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ProgramID` UnicodeString
`FilePath` UnicodeString

Event ID 1003: Installer cancel click detected.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Installer cancel click detected.

Message #

Installer cancel click detected.

Fields #

Name	Description
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 1004: InstallerShield detected.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

InstallerShield detected.

Message #

InstallerShield detected.

Fields #

Name	Description
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 1005: File installed.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

File installed.

Message #

File installed.

Fields #

Name	Description
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 1006: New arp key.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

New arp key.

Message #

New arp key.

Fields #

Name	Description
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 1100: DirectX detection: HighDPIAware.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

DirectX detection: HighDPIAware.

Message #

DirectX detection: HighDPIAware.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 1101: DirectX detection: MaximizedWindowedMode.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

DirectX detection: MaximizedWindowedMode.

Message #

DirectX detection: MaximizedWindowedMode.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 1102: DirectX detection: AdaptWindowToDisplayMode.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

DirectX detection: AdaptWindowToDisplayMode.

Message #

DirectX detection: AdaptWindowToDisplayMode.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 2001: The Application Impact Telemetry (AIT) Static Analysis tool ran with the following results.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Static Analysis tool ran with the following results.

Message #

The Application Impact Telemetry (AIT) Static Analysis tool ran with the following results:

Start time: %7
Stop time: %8
Runtime: %9
Exit code: %3
Type of analysis: %4
Number of files analyzed: %5
Number of files failed: %6
Analysis command: %10
Program ID: %11

Fields #

Name	Description
`cchIdAnalyzedIncludingNull` UInt16
`cchProgramIdIncludingNull` UInt16
`ExitCode` UInt32
`IdTypeAnalyzed` UInt32
`NumFilesAnalyzed` UInt32
`NumFilesFailed` UInt32
`StartTime` FILETIME
`StopTime` FILETIME
`RunTime` UInt64
`IdAnalyzed` UnicodeString
`ProgramId` UnicodeString

Event ID 2002: ErrorMessage.

Provider: Microsoft-Windows-Application-Experience
Channel: Compatibility-Infrastructure-Debug

Description

ErrorMessage

Message #

%1

Fields #

Name	Description
`ErrorMessage` AnsiString

Event ID 2003: The Application Impact Telemetry (AIT) Static Analysis tool ran with the following results.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Telemetry

Description

The Application Impact Telemetry (AIT) Static Analysis tool ran with the following results.

Message #

The Application Impact Telemetry (AIT) Static Analysis tool ran with the following results:

Start time: %7
Stop time: %8
Runtime: %9
Exit code: %3
Type of analysis: %4
Number of files analyzed: %5
Number of files failed: %6
Analysis command: %10
Program ID: %11

Fields #

Name	Description
`cchIdAnalyzedIncludingNull` UInt16
`cchProgramIdIncludingNull` UInt16
`ExitCode` UInt32
`IdTypeAnalyzed` UInt32
`NumFilesAnalyzed` UInt32
`NumFilesFailed` UInt32
`StartTime` FILETIME
`StopTime` FILETIME
`RunTime` UInt64
`IdAnalyzed` UnicodeString
`ProgramId` UnicodeString

Event ID 2005: QuirkName.

Provider: Microsoft-Windows-Application-Experience
Channel: Operational
Also via: realtime ETW trace
Level: Informational

Description

QuirkName

Message #

%3

Fields #

Name	Description
`ProcessId` UInt32
`QuirkId` UInt32
`QuirkName` UnicodeString
`CommandLine` UnicodeString
`Enabled` UInt8
`Forced` UInt8
`PackageFullName` UnicodeString
`ApplicationUserModelId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Application-Experience",
    "guid": "{EEF54E71-0661-422D-9A98-82FD4940B820}",
    "event_source_name": "",
    "event_id": 2005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000200",
    "time_created": "2026-06-02T05:07:41.969+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 17560,
      "thread_id": 20192
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ApplicationUserModelId": "",
    "CommandLine": "",
    "Enabled": 0,
    "Forced": 0,
    "PackageFullName": "",
    "ProcessId": 17560,
    "QuirkId": 196608,
    "QuirkName": "WRL.PropagateErrorsFromDelegates"
  },
  "message": ""
}

Event ID 5001: The Program Compatibility Troubleshooter was invoked to correct a compatibility problem.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Troubleshooter

Description

The Program Compatibility Troubleshooter was invoked to correct a compatibility problem. Information about the application is below.

Message #

The Program Compatibility Troubleshooter was invoked to correct a compatibility problem. Information about the application is below.

Application name: %1
Application version: %2
Executable path: %3
Scenario ID: %4
Result: %5
Result ID: %6
Compatibility layer: %7
FileID: %8
ProgramID: %9

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`ScenarioId` UnicodeString
`Result` UnicodeString
`ResultID` UnicodeString
`CompatibilityLayer` UnicodeString
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 5002: The Program Compatibility Troubleshooter queried the Compatibility Online Service for information about an application.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Troubleshooter

Description

The Program Compatibility Troubleshooter queried the Compatibility Online Service for information about an application. Results are below.

Message #

The Program Compatibility Troubleshooter queried the Compatibility Online Service for information about an application. Results are below.

Application name: %1
Application version: %2
Executable path: %3
Recommended layer: %4
URL: %5
Compatibility status: %6
FileID: %7
ProgramID: %8

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`RecommendedLayer` UnicodeString
`URL` UnicodeString
`CompatStatus` UInt32
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 5003: The Program Compatibility Troubleshooter queried the application genome for information about an application.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Troubleshooter

Description

The Program Compatibility Troubleshooter queried the application genome for information about an application. Results are below.

Message #

The Program Compatibility Troubleshooter queried the application genome for information about an application. Results are below.

Application name: %1
Application version: %2
Executable path: %3
Recommended layer: %4
Vista+: %5
FileID: %6
ProgramID: %7

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`RecommendedLayer` UnicodeString
`VistaPlus` UInt32
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 5004: Program Compatibility Troubleshooter debug event.

Provider: Microsoft-Windows-Application-Experience
Channel: Program-Compatibility-Troubleshooter

Description

Program Compatibility Troubleshooter debug event.

Message #

Program Compatibility Troubleshooter debug event:
%1
%2

Fields #

Name	Description
`DebugString` UnicodeString
`qwData` UInt64

Event ID 8000: Detector shim: SHORT_RUN_TIME.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: SHORT_RUN_TIME.

Message #

Detector shim: SHORT_RUN_TIME.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8001: Detector shim: ACCESS_DENIED.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: ACCESS_DENIED.

Message #

Detector shim: ACCESS_DENIED.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8002: Detector shim: BLACK_SCREEN.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: BLACK_SCREEN.

Message #

Detector shim: BLACK_SCREEN.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8003: Detector shim: WIN32_EXCEPTION: ExtraDataSize.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: WIN32_EXCEPTION: ExtraDataSize.

Message #

Detector shim: WIN32_EXCEPTION: %3.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8004: Detector shim: GLOBAL_OBJECT.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: GLOBAL_OBJECT.

Message #

Detector shim: GLOBAL_OBJECT.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8005: Detector shim: PRIVILEGE_CHECK.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: PRIVILEGE_CHECK.

Message #

Detector shim: PRIVILEGE_CHECK.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8006: Detector shim: MESSAGE_BOX_VERSION.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: MESSAGE_BOX_VERSION.

Message #

Detector shim: MESSAGE_BOX_VERSION.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8007: Detector shim: MESSAGE_BOX_PRIVILEGE.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: MESSAGE_BOX_PRIVILEGE.

Message #

Detector shim: MESSAGE_BOX_PRIVILEGE.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8008: Detector shim: MESSAGE_BOX_ERROR_ICON.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: MESSAGE_BOX_ERROR_ICON.

Message #

Detector shim: MESSAGE_BOX_ERROR_ICON.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8010: Detector shim: REG_EXPAND_SZ.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: REG_EXPAND_SZ.

Message #

Detector shim: REG_EXPAND_SZ.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8011: Detector shim: DWM_8AND16_MODE.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: DWM_8AND16_MODE.

Message #

Detector shim: DWM_8AND16_MODE.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 8012: Detector shim: KERNEL_DRIVER.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Detector shim: KERNEL_DRIVER.

Message #

Detector shim: KERNEL_DRIVER.

Fields #

Name	Description
`Flags` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 16000: task_016000

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString
`CommandLine` UnicodeString
`RoutingMode` UnicodeString
`Class` UnicodeString
`HostDll` UnicodeString
`InExMode` UnicodeString
`InExIncludes` UnicodeString
`InExExcludes` UnicodeString

Event ID 16001: task_016001

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString
`Type` UnicodeString

Event ID 16002: task_016002

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString

Event ID 16003: task_016003

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString
`CommandLine` UnicodeString
`Enabled` Boolean

Event ID 16010: task_016010

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ModuleToHook` UnicodeString
`HookModule` AnsiString
`HookApi` AnsiString
`Hooked` Boolean
`Reason` UnicodeString

Event ID 16011: task_016011

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString
`Patched` Boolean
`Reason` UnicodeString

Event ID 16012: task_016012

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`Class` UnicodeString
`Interface` UnicodeString
`ApiIndex` UInt32
`Hooked` Boolean
`Reason` UnicodeString

Event ID 16100: task_016100

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`Message` AnsiString

Event ID 16101: task_016101

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`Message` AnsiString

Event ID 16102: task_016102

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`Message` AnsiString

Event ID 16103: task_016103

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`Message` AnsiString

Event ID 16110: task_016110

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`ModuleName` AnsiString
`ApiName` AnsiString
`Info` AnsiString

Event ID 16111: task_016111

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`ModuleName` AnsiString
`ApiName` AnsiString
`Info` AnsiString

Event ID 16112: task_016112

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`ModuleName` AnsiString
`ApiName` AnsiString
`Info` AnsiString

Event ID 16113: task_016113

Provider: Microsoft-Windows-Application-Experience
Channel: Operational

Fields #

Name	Description
`ShimName` AnsiString
`ModuleName` AnsiString
`ApiName` AnsiString
`Info` AnsiString

Event ID 32764: Message.

Provider: Microsoft-Windows-Application-Experience
Channel: Compatibility-Infrastructure-Debug

Description

Message: Message

Message #

Message: %1

Fields #

Name	Description
`Message` AnsiString

Event ID 32765: Chain: Chain, Process: Process, Type: Type.

Provider: Microsoft-Windows-Application-Experience
Channel: Trace
Also via: realtime ETW trace
Level: Informational

Description

Chain: Chain, Process: Process, Type: Type.

Message #

Chain: %1, Process: %2, Type: %3
Component: %4
Message: %5

Fields #

Name	Description
`ChainID` UInt32
`ProcessID` UInt32
`Type` AnsiString
`Component` AnsiString
`Message` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Application-Experience",
    "guid": "{EEF54E71-0661-422D-9A98-82FD4940B820}",
    "event_source_name": "",
    "event_id": 32765,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x2000000000000000",
    "time_created": "2026-06-02T05:07:42.964+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5CD02377-E707-4E90-899C-B6D5216D3A93}"
    },
    "execution": {
      "process_id": 1096,
      "thread_id": 19580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ChainID": 0,
    "Component": "External",
    "Message": "Ignoring,Chain not found",
    "ProcessID": 4136,
    "Type": "TRACE"
  },
  "message": ""
}

Event ID 32766: Message.

Provider: Microsoft-Windows-Application-Experience
Channel: Analytic

Description

Message: Message

Message #

Message: %1

Fields #

Name	Description
`Message` AnsiString

Event ID 32767: Message.

Provider: Microsoft-Windows-Application-Experience
Channel: Compatibility-Infrastructure-Debug

Description

Message: Message

Message #

Message: %1

Fields #

Name	Description
`Message` AnsiString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {EEF54E71-0661-422D-9A98-82FD4940B820}

Defined in aeevts.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)